

Report of the Auditor-General on the Information Technology Systems of the Ministry of Energy

REPORT OF THE AUDITOR-GENERAL ON THE AUDIT OF THE INFORMATION TECHNOLOGY SYSTEMS OF THE MINISTRY OF ENERGY

TABLE OF CONTENTS

Transmittal letter
Executive summary
Introduction
Background
Scope and objective of audit
Audit approach
Overall conclusion
Limitation of scope and responsibility
ANNEX A: Detailed findings and recommendations
A.1 Overall IT policy and strategy
A.2 IT asset management
A.3 Service level agreement
A.4 IT security (including physical and logical access to the systems)
A.4.1 Physical access control
A.4.2 Logical access control
A.5 Business continuity planning


TRANSMITTAL LETTER

Ref. AG01/109/Vol.2

Office of the Auditor-General
Ministries Block O
P. O. Box MB96
Accra
Tel. (021) 662493
Fax (021) 662493

30 December 2009

Dear Madam Speaker,

REPORT OF THE AUDITOR-GENERAL ON THE INFORMATION TECHNOLOGY SYSTEMS OF THE MINISTRY OF ENERGY

I have the honour to submit to you for presentation to Parliament my audit report on the Information Technology (IT) systems of Ministry of Trade, Industry, Private Sector Development and President Special Initiatives, in accordance with Article 187(2) of the 1992 Constitution and Sections 11(1) and (3) and 16 of the Audit Service Act 2000, Act 584. My office is mandated, among other things, to review computerised financial and accounting systems including electronic transactions of public institutions and approve the form in which these are kept. I am also mandated to carry out in the public interest such special audits or reviews as I consider necessary and to submit reports on the audits or reviews undertaken by me to Parliament.

2. This report has been prepared by staff who have been professionally trained under the European Union capacity building project in conducting IT audits to internationally recognised standards and best practice. The team that carried out the audit comprised Mr Charles Okutu (Leader) and Ms Kate Dangbe, Auditors, under the supervision of Ms Beatrice M. Akintomide, Financial and IT Audit Consultant of the UK National Audit Office, and Mr. Augustine R. K. Boadu, Deputy Auditor-General.

3. The report reveals, among other things, weaknesses in managing the Ministry's information systems, such as:

a) an antiquated IT system which was on the verge of collapsing;
b) poor controls over user access to data;
c) risk of multiple passport issuance; and
d) lack of arrangements for ensuring continuity of business operations should the IT system fail or in the event of a disaster,

and makes recommendations to address these lapses.

4. I would like to thank my staff for their assistance in the preparation of this report and the staff of the Ministry of Energy for the assistance offered to my officers during the period of the audit.

5. I trust that this report will meet the approval of Parliament.

Yours faithfully

RICHARD Q. QUARTEY
Ag. AUDITOR-GENERAL

THE RT. HON. SPEAKER
OFFICE OF PARLIAMENT
PARLIAMENT HOUSE
ACCRA

EXECUTIVE SUMMARY

Introduction

1. An IT audit of the Ministry of Energy's business critical systems and processes has been carried out in accordance with the statutory requirement of section 11 (1) and (3) of the Audit Service Act, 2000, Act 584, which requires that the Auditor-General review computerised financial and accounting systems and approve the form in which these are kept.

Background

2. The Ministry of Energy (MOEn) is a government institution whose mission is to provide an enabling environment for all stakeholders for the judicious exploration, exploitation, harnessing and management of energy in an efficient, cost effective and sustainable manner.

3. Its vision is to enable Ghana to become a net exporter of fuel and power.

4. The Ministry of Energy has the responsibility for developing and implementing energy sector policy in Ghana and also supervises the operations of the Volta River Authority, Bulk Oil Storage and Transportation Company Limited (BOST), Tema Oil Refinery (TOR) Ltd, Ghana National Petroleum Corporation (GNPC), Ghana Cylinder Manufacturing Company (GCMC) Ltd, Energy Commission, the Ghana Energy Foundation (GEF), Electricity Company of Ghana (ECG), Ghana Oil Company Limited (GOIL), National Petroleum Authority (NPA), Ghana Grid Company and the Bui Power Authority.

Scope and objective of audit

5. The objectives of the audit were to:

• review and appraise the controls and procedures operated by management to ensure that information is reliable and the continued integrity of the business critical systems is safeguarded;
• assess the effectiveness of the overall management control over the IT function of the organisation; and
• provide a report highlighting any weaknesses and recommending corrective action.

6. This audit evaluated the effectiveness of the general controls surrounding the information systems of MOEn. Our planned audit scope included a review of business critical systems, but because the Ministry had no business critical system, the review focused on the IT control environment and the IT service management arrangements. Our fieldwork was performed at MOEn's premises located in the Ministries, Accra. The audit covered the following key processes:

• overall IT policy and strategy;
• service level agreement;
• IT security (including physical and logical access to the systems);
• IT asset management; and
• business continuity planning.

Audit approach

7. The audit was undertaken in accordance with international auditing standards issued by the International Auditing and Assurance Standards Board (IAASB), the International Organisation of Supreme Audit Institutions (INTOSAI) and the Information Systems Audit and Control Association (ISACA). We also took account of best practice in IT service management. The audit covered the information systems arrangements in place as of August 2008 and was carried out by a team of specialist IT auditors.

Overall conclusion

8. The audit concluded that the Ministry of Energy's current IT arrangements are inadequate and not capable of meeting the needs of the organisation.

9. The Ministry does not have an IT strategy or IT policies and procedures in place. The absence of such policies and procedures increases the risk of the acquisition or development of systems which are unsuitable for business needs or not in line with corporate objectives and priorities.

10. There are no formal arrangements in place for securing the Ministry's building and equipment. This increases the risks of damage to expensive and vital equipment and of unauthorised disclosure, creation, alteration or deletion of data.

11. The Ministry did not maintain complete and accurate records of its IT assets, and has not developed formal policies and procedures to identify hardware and ensure accountability for it.

12. The review identified a number of significant issues that require management's immediate attention. These relate to:

• the absence of an IS/IT strategy approved by senior management (High priority);
• the absence of an IT department (High priority);
• the absence of an IT security policy (High priority);
• the lack of proper controls over user access to the internet and over internet usage (Medium priority);
• the absence of proper arrangements for backing up data (Medium priority);
• the absence of an IT asset register (Medium priority); and
• the absence of a business continuity plan (High priority).

13. We invited senior management's response to the issues raised and on the factual accuracy of the contents of this report. Our observations and detailed recommendations are set out in Annex A.

14. The weaknesses identified have been prioritised based on their level of significance. The priority ratings applied in paragraph 12 above and in the Annexes are explained below:

• High (H): A business issue or control weakness of such fundamental significance and/or financial materiality to the organisation that it requires the immediate action of line and senior management, with a priority for resolution.
• Medium (M): A business issue or control weakness of such substantial importance to the organisation that it requires the immediate attention of line management and an agreed action plan for resolution.
• Low (L): An administrative control issue of significance but of relatively low financial materiality. Although this does not warrant immediate attention, an agreed action plan should be established.

Limitation of scope and responsibility

15. At the time of the audit there were no corporate IT systems in place; use of information technology was restricted to Microsoft Office applications. We were therefore unable to review application controls and could not express an opinion on them.

16. We reviewed the management controls operated by the Ministry of Energy only to the extent possible and necessary for the effective performance of this audit. As a result, our review may not have detected all weaknesses that exist or all improvements that could be made. We have prepared this report solely for your use, and use within your organisation. Its contents should not be disclosed to any third parties without our consent. We would not accept any responsibility for any reliance a third party might place upon it.

ANNEX A: DETAILED FINDINGS AND RECOMMENDATIONS

A.1 Overall IT policy and strategy

16. We sought assurance that the MOEn system under review is consistent with MOEn's current corporate and IT strategies, and is subject to adequate levels of corporate governance.

17. We noted however that:

• the Ministry of Energy did not have appropriate policies and procedures in place to facilitate its contribution to the achievement of the Government of Ghana's (GOG's) commitment to ICT development, as contained in the Ministerial Policy Statement on ICT;
• the Ministry does not have an IT department; and
• the Ministry was unable to provide us with a business case (the information required for an organisation to decide whether a project should proceed, or the justification for setting up and continuing a project) to support the Internet system that was in place. We were therefore unable to gain assurance that the Internet system was in line with corporate priorities.

Risks

18. Without an IT department there is no unit with the remit or the skills to run IT as a function: day-to-day IT activities are unlikely to be carried out well, and IT issues will be handled less professionally.

19. The absence of an IT strategy could lead to the development of systems that are unsuitable for business needs and to a directionless IT unit.

Recommendation 1

20. Management should establish a formal IT department managed by well-trained and qualified personnel. Management should also ensure that an organisational chart showing the structure and designation of the various heads of departments/directorates is drawn up.

Management's response

21. Establishment of an IT department is yet to be done, but a well structured organogram has been put in place.

Ownership: HRD/M Directorate
Timescale: June 2009

Recommendation 2

22. There should be an IT committee appointed by senior management, including representatives from senior management, user management and the Information Systems (IS) department, to:

• review long and short range plans of the IS department to ensure that they are in accordance with the corporate objectives;
• review and approve major acquisitions of hardware and software within the limits approved by management;
• approve and monitor major projects and the status of IS plans and budgets, establish priorities, approve standards and procedures and monitor overall IS performance; and
• review and approve outsourcing strategies for selected IS activities.

Management's response

23. Due to transfers and resignation of staff, the IT committee meetings have not been effective over the years and will be revamped as soon as possible.

Ownership: Chief Director/Finance & Administration Directorate
Timescale: July 2009

Recommendation 3

24. There should be an IT strategy in place, and it should:

• follow the corporate business strategy;
• be reviewed annually to check that its assumptions and decisions remain valid;
• be made known to staff, who should be kept informed of the main issues in the IT strategy; and
• be approved by senior management.

Management's response

After the Ministry's Policy Statement, management is yet to initiate a process for an IT strategy.

Ownership: PPME/Finance and Administration Directorate
Timescale: December 2009

Recommendation 4

25. The internal audit function should be strengthened and trained in IT audit so that it is able to review IT systems and to prevent, detect and correct control weaknesses and errors.

Management's response

26. Management said that it would train personnel of the Internal Audit Section in IT related systems.

Ownership: HRM/D Directorate
Timescale: December 2009

A.2 IT asset management

Introduction

27. IT asset management arrangements allow organisations to optimise their use of IT assets to achieve business goals.

28. Maintaining and distributing assets across an organisation, and ensuring staff have the tools they need to do their jobs, is difficult and costly when the assets cannot be readily found. Knowing where the assets are, how they are configured, and how they are used allows an organisation to ensure that these assets are in the right place at the right time, properly equipped and supported.

Observation

29. We sought assurance that adequate records are maintained on all components of the IT infrastructure. We also reviewed the records held to ensure that there is economy in the acquisition of computers and peripherals; that they are recorded in store records; that their issue is covered by the necessary documents, authorised by the appropriate level of management; and that they can be traced from acquisition to disposal.

30. We noted that:

• whilst some of the computers were indelibly marked to indicate that the Ministry owns them, others, especially the new computers, were not;
• some obsolete and unserviceable computers and their accessories had been dumped under the staircase on the ground floor of the Ministry's building, contrary to Section 83(1) of the Public Procurement Act 2003 (Act 663), which states that the head of a procurement entity shall convene a Board of Survey comprising representatives of departments with unserviceable, obsolete or surplus stores, plant and equipment, which shall report on the items and, subject to a technical report on them, recommend the best method of disposal after the officer in charge has completed a Board of Survey form;
• the Ministry does not have an asset register;
• the IT Head/Emetron is not consulted on purchases of IT equipment for the Ministry; and
• the Ministry did not undertake regular asset verification exercises.

31. Risks

• Without a comprehensive IT asset management programme in place, IT assets can cost far more than necessary through waste, redundancy and expensive maintenance.

• In the absence of effective asset management controls, fraud could be perpetrated. Spurious pricing of IT equipment could increase financial loss to both the Ministry and the State, and undeserving suppliers could be given contracts.
• The absence of an asset register detailing the quantities bought, location, make, serial numbers and date of purchase, together with the failure of the Ministry to undertake regular asset verification exercises, could lead to loss of assets and a high cost of replacement.

Recommendation 5

32. The Ministry should consider developing an effective IT asset management programme that links the asset management strategy to both the IT strategy and the overall business strategy.

Management's response

33. Management responded that it would ensure that an effective IT asset management programme was implemented.

Ownership: Director, Finance and Administration Directorate
Timescale: December 2009

Recommendation 6

34. Management should ensure that an asset register is maintained and promptly updated to reflect all additions and disposals. All IT assets should be indelibly marked to indicate that the Ministry owns them.

Management's response

35. Management would ensure that the Estate Unit is provided with the requisite materials to mark all the Ministry's assets.

Ownership: Finance and Administration Directorate
Timescale: December 2009

Recommendation 7

36. Management should dispose of the obsolete and unserviceable items dumped at the Ministry in accordance with the provisions of the Public Procurement Act 2003 (Act 663).

Management's response

37. Management has set up a committee to address the above.

Ownership: Finance and Administration Directorate
Timescale: November 2008

A.3 Service level agreement (SLA)

Introduction

38. An SLA is a formally negotiated agreement between two parties: a contract between customers and their service providers. It records the common understanding about services, priorities, responsibilities, guarantees and the level of service. SLAs allow users of services to specify and agree, preferably in writing, what levels of service, in terms of quantity and quality, they should receive. SLAs are in effect service delivery contracts.

39. The Ministry has no SLA with any of its Internet service providers.

40. The Ministry of Energy entered into a contract agreement with Geosat Technologies, also known as Emetron Technologies, on 26 November 2003 for the installation of a two-way satellite internet system and a local area network for 115 workstations. The two Internet service providers are Internet Ghana and Internet Solutions. Internet Solutions provides a Very Small Aperture Terminal (VSAT) for management staff, and Internet Ghana is the provider of broadband Internet service.

41. On 29 November 2004 the Ministry again entered into a contract with Emetron Technologies for the maintenance of the services provided under the first contract. An addendum to the latter contract was signed on 3 August 2006.

42. On 16 May 2007 a renewal of the maintenance service contract was signed between the Ministry of Energy and Emetron Technologies Ltd. The parties agreed to extend the maintenance contract for a further two-year period.

43. We however noted the following:

• the local area network had, at the time of the audit, grown to over 200 workstations, against the 115 covered by the installation contract, and no network diagram was available;
• Emetron was not able to periodically update the Ministry's website as stated in the contract, although the Ministry pays for quarterly website update and hosting maintenance services;
• the contractor was not able to carry out training of staff to enable them to operate all equipment installed under the contract; and
• as stated in the contract, a member of Emetron staff was to be present in the server room on all working days to provide first line support involving operational, supervisory and advanced maintenance to ensure the desired status of operation of the servers and networks. During the audit the representative was sometimes not available.

Risk

44. In the absence of a service level agreement it will be difficult to assess the effectiveness of the Internet service providers and of the maintenance contractor over a period, since there are no agreed, measurable service levels against which their performance can be judged.

Recommendation 8

45. Management should ensure that a member of Emetron staff is present in the server room during working days to provide first line support involving operational, supervisory and advanced maintenance, to ensure the desired status of operation of equipment and networks.

Management's response

46. Management would ensure that Emetron provides effective supervision of the Ministry's network.

Ownership: Finance and Administration Directorate
Timescale: December 2009

A.4 IT security (including physical and logical access to the systems)

A.4.1 Physical access control

Observation

47. We reviewed physical security to ensure that hardware, software, data, processes, documentation, personnel, buildings and the computer environment were physically safeguarded from damage, misuse or unauthorised access.

48. We established that:

• the various offices where the computers were located had security locks;
• most of the offices had air-conditioners and humidity was controlled;
• each floor had fire extinguishers, last serviced in November 2007 and due for servicing in November 2008; and
• there is a fire hydrant in place.

49. We noted however that:

• management had not established a documented physical security policy;
• visitors were not issued with visitor passes and were not always asked to sign the visitors' book;
• there were no smoke or water detectors;
• the server room was located on the ground floor; and
• access to the server room was not restricted to authorised personnel.

50. Risks

• The absence of a physical security policy document increases the risk of inappropriate working practices being adopted.
• The absence of appropriate physical security procedures increases the risks of damage to expensive and vital equipment and the unauthorised disclosure, alteration or deletion of data.
• Unrestricted access to the server room increases the risk of damage to or loss of expensive IT equipment, and of unauthorised access to the data held on it.
• Failure to issue visitors with visitor passes prevents easy identification. This increases the risk of unauthorised access to vital information and IT assets.

• The location of the server room on the ground floor increases the risk of water damage during flooding and other natural disasters.

Recommendation 9

51. Management should establish a documented physical security policy. Copies should be issued to all staff.

Management's response

52. Management would develop and ensure that a physical IT security policy is documented and distributed to all staff.

Ownership: Director, Finance and Administration Directorate
Timescale: December 2009

Recommendation 10

53. Access to the server room should be restricted to authorised persons. An "out of bounds" notice at the entrance makes the restriction visible but does not enforce it; the room should also be kept locked, with keys or access codes held only by named, authorised staff.

Management's response

54. Management would ensure maximum security at the server room.

Ownership: Director, Finance and Administration Directorate
Timescale: December 2009

Recommendation 11

55. All visitors should be made to sign the visitors' book on arrival and when leaving the Ministry's building. They should be issued with visitors' passes, which should be worn at all times.

Management's response

56. Management has already put in place measures to address these issues.

Ownership: Director, Finance and Administration Directorate
Timescale: December 2009


A4.2 Logical access control

Observation

57. The computers in the Ministry were networked for Internet and intranet purposes. Internet Ghana and Internet Solution provide the Internet service. There were three servers in use. The head of IT and the representative of Emetron acted as system administrators. The two system administrators are responsible for assigning user identification (ID) and passwords.

58. We however noted that:

• access could be gained by simply switching on the computer. This was revealed by a walkthrough test on some computers;

• some computers do not have anti-virus software, and those that do are running unlicensed copies;

• the Ministry of Energy does not have a documented policy on user access management;

• whilst users have been assigned user identifiers, they generally do not set up their passwords;

• internet usage is not monitored for unauthorised activities such as downloading pornographic materials, music and videos during working hours;


• there were no controls over idle terminals; and

• most staff members are not aware of the existence of the intranet.
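One way to check, account by account, for the condition the walkthrough test revealed (machines that can be used with no password at all), as an added example that is not part of the audit report or of any tooling the Ministry used: a Python script that reads a Unix-style shadow file and lists every account whose password field is empty. The shadow layout is an assumption (the report does not name the operating system; on Windows the equivalent check reads the local account settings), the sample file and account names are constructed, and the extra "password never expires" check goes slightly beyond the observation above.

```python
"""Flag accounts that can log in with no password (added audit check).

Assumed input format: Unix /etc/shadow lines
    name:password:lastchanged:min:max:warn:inactive:expire:reserved
An empty second field means the account needs no password at all;
"!" or "*" in that field means the account is locked or non-interactive.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample file; not data from the Ministry's systems.
SAMPLE_SHADOW = """\
# name:password:lastchg:min:max:warn:inactive:expire:flag
root:$6$saltsalt$HASHPLACEHOLDER:17500:0:90:7:::
clerk1::17500:0:99999:7:::
clerk2:$6$saltsalt$HASHPLACEHOLDER:17500:0:99999:7:::
intern:!:17500:0:99999:7:::
guest::0:0:99999:7:::
svc_backup:*:17500:0:99999:7:::
broken:x:1
"""


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def audit_shadow(text: str) -> List[Finding]:
    """Return one Finding per account entry that needs attention."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            # A malformed entry is itself worth reporting: it may hide a real account.
            findings.append(Finding(fields[0], f"malformed entry on line {lineno}"))
            continue
        name, password, _lastchg, _minage, maxage = fields[:5]
        if password == "":
            # The "switch on and you are in" case from the observation above.
            findings.append(Finding(name, "no password set: login requires no authentication"))
            continue
        if password.startswith("!") or password == "*":
            continue  # locked or non-interactive account; nothing to report
        if maxage in ("", "99999"):
            # Additional check beyond the report's text: no password expiry configured.
            findings.append(Finding(name, "password never expires"))
    return findings


def accounts_without_password(text: str) -> List[str]:
    """Just the account names that need no password, for the summary line of a report."""
    return [f.account for f in audit_shadow(text) if f.issue.startswith("no password")]


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.account:12} {finding.issue}")
```

Run against the constructed sample the script reports `clerk1` and `guest` as usable without a password, `clerk2` as having no password expiry, and the truncated `broken` entry as malformed; `root` (password set, 90-day expiry), the locked `intern` account and the non-interactive `svc_backup` account produce no finding.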

59. Risks

• The absence of a documented policy on user access management could lead to unauthorised and inappropriate access being gained to the network and client data. This poses risks to the confidentiality, integrity and availability of data;

• The absence of an identification and authentication process before access is gained increases the risk of unauthorised and inappropriate access to applications and data. This poses a risk to the confidentiality and integrity of data and prevents accountability should changes be made;

• The absence of a dedicated in-house system administrator could lead to delay in handling security incidents;

• The use of pirated copies of software contravenes the Copyright Act, 2005 (Act 690) and can cause embarrassment to the Ministry should the breach be detected by the copyright monitoring team or, worse still, by the Federation Against Software Theft or similar international organisations enforcing anti-piracy regulation; and


• The failure to scan the contents of e-mails and to monitor internet access leaves the Ministry open to liability, as it is responsible for the activities of its staff whilst they are using the corporate network.

Recommendation 12

60. The Ministry of Energy should formally document its policy and procedures for managing user access. The documented procedures should cover how access to both the network and individual applications will be restricted.

Management’s response

61. Management would ensure that all IT policies and procedures are well documented to cover both network and individual applications.

Ownership: PPME/Finance and Administration Directorate

Timescale: December 2009

Recommendation 13

62. The Ministry should acquire anti-virus software, ensuring that the required number of licences is held and that software-licensing agreements are not breached.

Management’s response

63. Management has already acquired licensed antivirus software.

Ownership: Director Finance and Administration Directorate

Timescale: November 2008


Recommendation 14

64. The Ministry should establish an IT department that incorporates an IT help desk, and should transfer responsibility for system administration to appropriate IT staff.

Management’s response

65. Management would establish an IT department with the requisite staff.

Ownership: HRM/D Directorate

Timescale: December 2009

Recommendation 15

66. Management should ensure that access to known inappropriate sites is prevented. Regular reports should also be run on websites accessed, and those who spend an unreasonable amount of time accessing the internet or who visit non-work-related or inappropriate sites should be cautioned. Persistent offenders should be subjected to disciplinary proceedings. Management should also consider the use of a firewall (software or hardware).

Management’s response

67. Management would procure an e-mail content scanning/web filtering tool.

Ownership: Director Finance and Administration

Timescale: December 2009
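Recommendation 15 asks for regular reports on websites accessed, on time spent online and on visits to inappropriate sites. As an added example that is not part of the audit report or of any tool the Ministry procured, the Python script below builds such a report from proxy logs. It assumes a Squid-style native access.log with the user name in the ident field; the log lines, the category table (BLOCKED_CATEGORIES), the user names and the thresholds are all constructed for the example, and a real deployment would take categories from the web filter's own category feed.

```python
"""Per-user report of websites accessed from proxy logs (added example).

Assumed log layout (Squid native access.log, one request per line):
  unix_time elapsed_ms client_ip result/status bytes method url user peer type
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample log lines; not taken from any real proxy.
SAMPLE_LOG = """\
1230800400.000    120 10.0.0.11 TCP_MISS/200 5123 GET http://www.energy.gov.gh/ kofi DIRECT/1.2.3.4 text/html
1230800460.000  80000 10.0.0.11 TCP_MISS/200 9000000 GET http://videos.example.net/clip.mp4 kofi DIRECT/1.2.3.5 video/mp4
1230800520.000    150 10.0.0.12 TCP_MISS/200 4000 GET http://mail.example.org/ ama DIRECT/1.2.3.6 text/html
1230800580.000  60000 10.0.0.11 TCP_MISS/200 7000000 GET http://music.example.net/track.mp3 kofi DIRECT/1.2.3.5 audio/mpeg
1230800640.000    100 10.0.0.11 TCP_DENIED/403 300 GET http://adult.example.com/ kofi NONE/- text/html
1230800700.000    200 10.0.0.13 TCP_MISS/200 2500 GET https://www.gov.gh/ - DIRECT/1.2.3.7 text/html
"""

# Constructed category table keyed by domain; a parent domain covers its subdomains.
BLOCKED_CATEGORIES: Dict[str, str] = {
    "adult.example.com": "adult",
    "videos.example.net": "streaming",
    "music.example.net": "streaming",
}


@dataclass
class UserStats:
    requests: int = 0
    bytes_in: int = 0
    active_minutes: Set[int] = field(default_factory=set)   # distinct minutes with traffic
    blocked_hits: Dict[str, int] = field(default_factory=dict)


def category_of(url: str) -> Optional[str]:
    """Look up the host and then each parent domain in the category table."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels) - 1):            # never match a bare TLD
        category = BLOCKED_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None


def build_report(log_text: str) -> Dict[str, UserStats]:
    """Aggregate requests, bytes, active minutes and blocked-category hits per user."""
    report: Dict[str, UserStats] = defaultdict(UserStats)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue                             # skip malformed lines
        ts, size, url, user = float(fields[0]), int(fields[4]), fields[6], fields[7]
        if user == "-":
            user = "(unauthenticated)"           # proxy authentication not enforced for this client
        stats = report[user]
        stats.requests += 1
        stats.bytes_in += size
        stats.active_minutes.add(int(ts // 60))
        category = category_of(url)
        if category:
            # Denied attempts (TCP_DENIED) count too: the user tried to reach the site.
            stats.blocked_hits[category] = stats.blocked_hits.get(category, 0) + 1
    return dict(report)


def users_to_caution(report: Dict[str, UserStats], max_active_minutes: int = 120) -> List[str]:
    """Users who hit a blocked category or exceeded the online-time threshold (constructed default)."""
    return [
        user for user, stats in sorted(report.items())
        if stats.blocked_hits or len(stats.active_minutes) > max_active_minutes
    ]


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    for user, stats in sorted(report.items()):
        print(f"{user:18} requests={stats.requests:3} minutes={len(stats.active_minutes):3} "
              f"bytes={stats.bytes_in:9} blocked={dict(stats.blocked_hits)}")
    print("to caution:", users_to_caution(report))
```

Two design points: requests the filter has already denied are still counted against the user, because the recommendation is about who attempts to visit such sites, not only who succeeds; and requests carrying no user name are grouped under "(unauthenticated)", so the same report shows whether proxy authentication is being enforced, without which per-user cautioning is not possible.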


A5. Business continuity planning and overall IT service management

Observation

68. We sought assurance that arrangements are in place to ensure that all risks to business systems, infrastructure, applications, data and personnel are identified and managed, and that systems and applications can be recovered within specified time scales in the event of a disaster or disruption of the IT service.

69. We noted that:

• the MOEn has not assessed the risks faced by all its IT systems. This prevents proactive management of those risks. Should the threats materialise, the impact on the organisation is likely to be significant;

• there are no formal arrangements in place for ensuring that the IT system is available to users in the event of a disaster such as a fire outbreak;

• there are no structured arrangements in place for managing changes to the IT infrastructure;

• there is no help desk to handle software malfunctions and user problems; and

• the MOEn has a backup server, but backups of data and information are made on pen drives and other storage devices. The server is most often idle.


70. Risks

• There could be loss of service to users, loss of credibility, incomplete/inaccurate records and political embarrassment in the event of a disaster;

• The absence of an adequate, up-to-date and regularly tested business continuity plan means MOEn may not be able to continue operation in the event of a disaster or failure of its IT systems; and

• Where anti-virus software is not operated regularly, viruses can be inadvertently downloaded to the network. This could lead to infection, corruption and eventual destruction of critical business data.

Recommendation 16

71. The MOEn should undertake a comprehensive assessment of the risks faced by all its systems and business-critical processes and the likely impact of those risks on the organisation.

Management’s response

72. Management would ensure that comprehensive assessments of all risks are undertaken.

Ownership: Director Finance and Administration

Timescale: December 2009


Recommendation 17

73. There should be a help-desk to handle software malfunctions and user problems.

Management’s response

74. Management would establish a help-desk, which will be incorporated into the IT department to handle malfunctions and help users.

Ownership: Director, Human Resource Directorate

Timescale: December 2009

Recommendation 18

75. Management should ensure that Business Continuity and Disaster Recovery Plans are in place to enable business operations to continue should the Ministry’s main buildings and IT systems become unavailable.

Management’s response

76. Management would establish an appropriate plan for its building and IT systems.

Ownership: Director Finance and Administration

Timescale: December 2009


Recommendation 19

77. Management should ensure that an IT Disaster Recovery Plan is compiled and approved by senior management. Once compiled, the document should be reviewed at least annually and updated to reflect:

• the correct description of IT equipment in use; and

• home and mobile contact numbers of key officers.

78. The document should be dated, version controlled and copies issued to key officers. Copies should be stored securely off-site.

Management’s response

79. Management would ensure that an IT Disaster Recovery Plan is prepared.

Ownership: Director Finance and Administration

Timescale: December 2009